WordPress Sites Running Outdated PHP Exposed to Cyberattacks

Widespread outdated PHP on WordPress increases attack risk

Recent research has revealed a concerning trend: over 70% of WordPress sites running outdated PHP versions are now exposed to cyberattacks. This security lapse, highlighted in a study leveraging Censys internet scanning data, puts millions of websites at risk as attackers increasingly target unpatched systems with known vulnerabilities.

Widespread Use of Outdated PHP on WordPress Sites

WordPress powers more than 40% of all websites globally, relying on PHP as its server-side language. While the WordPress platform receives regular updates, the same is not true for the PHP versions supporting these sites. According to the study, out of 316,000 internet-facing WordPress instances with visible version information, just 30% are running a PHP version that is still supported with security updates.

The remaining 70% are operating on PHP versions that have reached end-of-life, such as PHP 7.4 (which lost support in November 2022). Running end-of-life PHP means that known vulnerabilities are left unpatched, making these sites easy targets for attackers. The issue is not isolated to obscure or neglected web properties, but is prevalent across a wide range of business and personal sites worldwide.

  • 70% of surveyed WordPress sites run outdated PHP versions
  • PHP 7.4, unsupported since November 2022, remains widely used
  • 316,000+ sites analysed using Censys internet-wide scanning

Even when the WordPress core is kept up to date, running on an unsupported PHP backend exposes the site to security flaws such as remote code execution and authentication bypasses. These vulnerabilities have been widely documented and can be exploited by automated tools used by cybercriminals.

Mass Defacement and Exploitation in the Wild

The scale of the problem is not hypothetical. Attackers are actively scanning the internet in search of outdated WordPress and PHP installations. One of the most visible manifestations of this threat is the ongoing “Hacked by MR.GREEN” campaign, which has led to the defacement of at least 900 WordPress sites. In these cases, legitimate site content is replaced with messages from attackers, serving as a clear sign of a successful compromise.

While the precise attack vectors used by MR.GREEN and similar campaigns are not always clear, forensic evidence points to a combination of outdated software, publicly exposed configuration files (like xmlrpc.php), and weak access controls. These factors together create a low barrier for attackers seeking to automate mass exploitation.

The problem is compounded by the widespread use of vulnerable plugins. WordPress plugins are essential for extending site functionality, but many are not kept up-to-date by site owners. Recent data from Censys shows that even popular plugins, such as Yoast SEO, are rarely deployed in their latest, most secure versions. Old plugins often harbour flaws such as authentication bypasses or data exposure vulnerabilities, which attackers can exploit to gain a foothold on the site.

  • 900+ WordPress sites defaced in the MR.GREEN campaign
  • Common weaknesses include outdated plugins and exposed xmlrpc.php files
  • Mass scanning tools automate the search for vulnerable sites

Technical Barriers to Upgrading PHP

One of the main reasons organisations fail to update PHP is the risk of breaking site functionality. Many older plugins and themes are not compatible with the latest PHP versions, and upgrading can sometimes lead to downtime or errors. This creates a dilemma for small and medium-sized businesses in particular, who may lack the resources or expertise to test and safely apply updates.

Despite these challenges, the ongoing exposure of WordPress sites running outdated PHP is a growing concern for the wider internet. Any breach can lead to more than just website defacement. Attackers may also use compromised sites as launchpads for further attacks, malware distribution, phishing, or data theft. As mass exploitation campaigns continue, the number of compromised sites is likely to increase unless proactive steps are taken.

Why This Matters Now

The scale of outdated PHP usage in WordPress sites is a critical risk for businesses and individuals relying on these platforms. The “Hacked by MR.GREEN” campaign provides a real-world demonstration of how quickly attackers can compromise vulnerable systems. Because WordPress is so widely used, vulnerabilities in its ecosystem have an outsized impact on the overall security of the web.

Immediate Actions for Organisations

Organisations running WordPress should:

  • Check their PHP version and prioritise upgrading to a supported release
  • Update core WordPress installations and all plugins
  • Restrict access to configuration files such as xmlrpc.php
  • Test changes in a staging environment to avoid downtime

Addressing outdated PHP is not just about compliance, but about reducing exposure to automated, mass-exploitation campaigns that are currently active.

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
Category
Industry Guidance
Published
Jul 8 - 2026
Post Tags
Cypro firewall showing robust network security
Secure your business.
Elevate your security, accelerate your growth. We take care of cyber security for high-growth companies, at every stage of their journey.
Get in touch
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call